IN THE CLAIMS: 



The following is a current listing of claims and will replace all prior versions and listings 
of claims in the application. Please amend the claims as follows: 

1-104. (Canceled) 

105. (Currently Amended) A computer-implemented method comprising: 

selecting an active program on a computer system as code under investigation^,]] 
wherein at least some of the code associated with the selected active program is running in kernel 
mode ; and 

executing malicious code detection code (MCDC) on the computer system, wherein the 
MCDC includes a first and a second plurality of detection routines, wherein said executing 
includes: 

applying each of the first plurality of detection routines to the code under 
investigation to obtain a corresponding one of a first plurality of results; 

weighting each of the first plurality of results to obtain a first score indicative 
of whether the code under investigation is has characteristics and/or behaviors 
typically associated with valid code; 

applying each of the second plurality of detection routines to the code under 
investigation to obtain a corresponding one of a second plurality of results; 

weighting each of the second plurality of results to obtain a second score 
indicative of whether the code under investigation i* has characteristics and/or 
behaviors typically associated with malicious code , wherein the second score is 
obtained independently of the first score ; and 

using the first and second scores to determine categorize whether the code under 
investigation with respect to the likelihood of the code under investigation compromising 
the security of the computer system is malicious code . 

106. (Currently Amended) The method of claim 105, wherein the code under investigation has 
access to other active programs executing on the computer system , and wherein execution of the 
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MCDC does not preclude the selected active code from directly interfacing with an operating 
system of the computer system . 

107. (Currently Amended) The method of claim 105, further comprising: 

selecting , in turn, one or more each additional active program[[s]] on the computer 
system as code under investigation; and 

executing said MCDC with respect to said selected code under investigation. 

108. (Canceled) 

109. (Currently Amended) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect malicious code includes remote control software. 

110. (Currently Amended) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect malicious code includes a keystroke logger. 

111. (Currently Amended) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect malicious code includes spyware. 

112. (Currently Amended) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect malicious code includes a worm. 

113. (Currently Amended) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect malicious code includes a virus. 

114. (Currently Amended) The method of claim 105, wherein the second plurality of 
detection routines are configured to detect malicious code includes monitoring software. 

115. (Currently Amended) A computer-implemented method comprising: 

selecting code currently running on a computer system as code under investigation, 
wherein said code is running in a manner that permits infection of said computer system; and 

executing malicious code detection code (MCDC) on the computer system, wherein the 
MCDC includes a first and a second plurality of detection routines, wherein said executing 
includes: 
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applying each of the first plurality of detection routines to the code under 
investigation to obtain a corresponding one of a first plurality of results; 

weighting each of the first plurality of results to obtain a first score indicative 
of whether the code under investigation is has characteristics and/or behaviors 
typically associated with valid code; 

applying each of the second plurality of detection routines to the code under 
investigation to obtain a corresponding one of a second plurality of results; 

weighting each of the second plurality of results to obtain a second score 
indicative of whether the code under investigation is has characteristics and/or 
behaviors typically associated with malicious code , wherein the second score is 
independent of the first score ; and 

using the first and second scores to categorize determine whether the code under 
investigation into one of a plurality of categories, including first and second categories 
indicative of valid code and malicious code, respectively is malicious code . 

116. (Previously Presented) The method of claim 115, wherein the code under investigation 
has access to other active code executing on the computer system. 

1 17. (Previously Presented) The method of claim 115, wherein at least some of the code 
associated with the selected active code is running in kernel mode. 

118. (Previously Presented) The method of claim 1 15, further comprising: 
selecting additional active code as code under investigation; and 
executing said MCDC with respect to said selected code under investigation. 

119-126. (Canceled) 

127. (Currently Amended) A computer system comprising: 
a processor; and 

a memory storing program instructions executable by the processor to: 

select a program currently running on a computer system as code under 
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investigation, wherein said program is running in a manner that permits infection of said 
computer system; and 

execute malicious code detection code (MCDC) on the computer system, wherein 
the MCDC includes a first and a second plurality of detection routines, including: 

applying each of the first plurality of detection routines to the code 
under investigation to obtain a corresponding one of a first plurality of results; 

weighting each of the first plurality of results to obtain a first score 
indicative of whether the extent to which the code under investigation is has 
characteristics and/or behaviors typically associated with valid code; 

applying each of the second plurality of detection routines to the code 
under investigation to obtain a corresponding one of a second plurality of 
results; 

weighting each of the second plurality of results to obtain a second 
score indicative of whether the extent to which the code under investigation is- 
has characteristics and/or behaviors typically associated with malicious code; 
and 

using the first and second scores to determine whether the code under 
investigation represents a security threat to the computer system is malicious 
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128. (Currently Amended) A computer-readable memory medium, including program 
instructions that are computer executable by a computer system to: 

select a program currently running on [[a]] the computer system as code under 
investigation, wherein said program is running in a manner that permits infection of said 
computer system; and 

execute malicious code detection code (MCDC) on the computer system, wherein the 
MCDC includes a first and a second plurality of detection routines, and wherein execution of the 
MCDC includes [[ing]]: 

applying each of the first plurality of detection routines to the code under 
investigation to obtain a corresponding one of a first plurality of results , wherein the 
first plurality of detection routines test for characteristics and/or behaviors typically 
associated with valid code ; 

weighting and combining each of the first plurality of results to obtain a first 
composite score indicative of whether the code under investigation is valid code ; 

applying each of the second plurality of detection routines to the code under 
investigation to obtain a corresponding one of a second plurality of results , wherein 
the first plurality of detection routines test for characteristics and/or behaviors 
typically associated with malicious code ; 

weighting and combining each of the second plurality of results to obtain a 
second composite score indicative of whether the code under investigation is malicious 
eode; and 

using the first and second scores to determine whether the code under 
investigation is malicious code. 

129. (Previously Presented) The method of claim 105, further comprising: 

determining from the first and second scores that the code under investigation is 
malicious code. 
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130. (Previously Presented) The method of claim 129, wherein the malicious code does not 
have a known signature. 

131 . (Currently Amended) The method of claim 105, wherein a signature associated with the 
code under investigation is not used by the first plurality of detection routines includes routines 
that examine the behavior of the code under investigation . 

132. (Currently Amended) The method of claim 131, wherein a signature associated with the 
code under investigation is not used by the second plurality of detection routines includes 
routines that examine the behavior of the code under investigation . 

133. (Currently Amended) The method of claim 105, wherein the malicious code is a 
previously unknown type of malicious code first and second plurality of detection routines are 
not specific to the code under investigation . 

134. (Previously Presented) The method of claim 129, wherein the determination that the 
code under investigation is malicious code is based on the first score not exceeding a valid 
code threshold value and the second score exceeding a malicious code threshold value. 

135. (Previously Presented) The method of claim 105, further comprising: 
determining from the first and second scores that the code under investigation is valid 

code. 

136. (Previously Presented) The method of claim 135, wherein the determination that the 
code under investigation is valid code is based on the first score exceeding a valid code 
threshold value. 

137. (Previously Presented) The method of claim 105, further comprising: 

determining from the first and second scores that the code under investigation is 
suspicious code, wherein suspicious code has not been determined to be either valid or 
malicious code. 

138. (Previously Presented) The method of claim 137, wherein the code under investigation is 
determined to be suspicious code based on the first and second scores being similar. 
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139. (Previously Presented) The system of claim 127, further comprising program 
instructions executable by the processor to: 

determine from the first and second scores that the code under investigation is malicious code. 

140. (Currently Amended) The system of claim 139, wherein the malicious code is a 
previously unknown type of malicious code does not have a known signature . 

141. (Previously Presented) The system of claim 139, wherein the determination that the 
code under investigation is malicious code is based on the first score not exceeding a valid 
code threshold value and the second score exceeding a malicious code threshold value. 

142. (Previously Presented) The system of claim 127, further comprising program 
instructions executable by the processor to: 

determine from the first and second scores that the code under investigation is valid 

code. 

143. (Previously Presented) The system of claim 142, wherein the determination that the 
code under investigation is valid code is based on the first score exceeding a valid code 
threshold value. 

144. (Previously Presented) The system of claim 127, further comprising program 
instructions executable by the processor to: 

determine from the first and second scores that the code under investigation is 
suspicious code. 

145. (Previously Presented) The memory medium of claim 128, further comprising program 
instructions executable to: 

determine from the first and second scores that the code under investigation is malicious code. 

146. (Currently Amended) The memory medium of claim 145, wherein the malicious code is 
a previously unknown type of malicious code does not have a known signature . 
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147. (Previously Presented) The memory medium of claim 128, further comprising program 
instructions executable to: 

determine from the first and second scores that the code under investigation is valid 

code. 

148. (Previously Presented) The memory medium of claim 147, wherein the determination 
that the code under investigation is valid code is based on the first score exceeding a valid code 
threshold value. 

149. (Previously Presented) The memory medium of claim 128, further comprising program 
instructions executable to: 

determine from the first and second scores that the code under investigation is 
suspicious code. 

150. (New) The memory medium of claim 145, wherein the determination that the code 
under investigation is malicious code is based on the first score not exceeding a valid code 
threshold value and the second score exceeding a malicious code threshold value. 

151. (New) The method of claim 105, wherein at least some of the code associated with the 
selected active program is running in kernel mode. 

152. (New) One or more computer-readable media storing program instructions executable on 
a computer system to: 

determine a first value indicative of valid code characteristics and/or behaviors exhibited 
by a first program running on the computer system; 

independently determine a second value indicative of malicious code characteristics 
and/or behaviors exhibited by the first program; 

based on comparisons involving the first and second values, determine whether the first 
program is a security threat to the computer system. 

153. (New) The computer-readable media of claim 152, wherein the program instructions are 
executable to determine whether the first program is a security threat to the computer system 
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based on a first comparison between the first value and a valid code threshold value and also 
based on a second comparison between the second value and a malicious code threshold value. 

154. (New) The computer-readable media of claim 152, wherein the program instructions are 
executable to determine that the first program is a security threat to the computer system based 
on the first value not exceeding a valid code threshold value and on the second value exceeding a 
malicious code threshold value. 

155. (New) The computer-readable media of claim 152, wherein the program instructions are 
executable to determine that the first program is not a security threat to the computer system 
based on the first value exceeding a valid code threshold value. 

156. (New) The computer-readable media of claim 152, wherein the program instructions are 
executable to determine that the first program is not a security threat to the computer system 
based on the first value exceeding a valid code threshold value and on the second value not 
exceeding a malicious code threshold value. 

157. (New) The computer- readable media of claim 152, wherein the program instructions are 
executable to determine that it is unclear whether the first program is a security threat to the 
computer system based on the first value and the second value not being significantly different 
from one another. 

158. (New) The computer-readable media of claim 152, wherein the program instructions are 
executable to determine that it is unclear whether the first program is a security threat to the 
computer system based on the first value exceeding a valid code threshold value and the second 
value exceeding a malicious code threshold value. 

159. (New) A method, comprising: 

computing a first score indicative of valid code characteristics and/or behaviors exhibited 
by a first program running on a computer system; 

computing a second value indicative of malicious code characteristics and/or behaviors 
exhibited by the first program; 
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using the first and second values to categorize the first program as to the likelihood of the 
first program compromising the security of the computer system. 

160. (New) The method of claim 159, wherein the malicious code characteristics include 
whether the first program has a signature associated with malicious code. 

161. (New) The method of claim 159, wherein the malicious code behaviors include whether 
the first program is performing actions typically associated with one or more types of malicious 
code. 

162. (New) The method of claim 159, wherein said using includes performing comparisons 
involving the first and second values. 

163. (New) The method of claim 162, wherein said first program is categorized based on a 
comparison between the first score and a valid code threshold. 

164. (New) The method of claim 163, wherein the first program is categorized as not being a 
security threat based on the first score exceeding the valid code threshold. 

165. (New) The method of claim 162, wherein said first program is categorized based on a 
comparison between the first score and a valid code threshold and also on a comparison between 
the second score and a malicious code threshold. 

166. (New) The method of claim 165, wherein the first program is categorized as not being a 
security threat based on the first score exceeding the valid code threshold and the second score 
not exceeding the malicious code threshold. 

167. (New) A computer system, comprising: 

first means for determining a first value indicative of the extent to which a first program 
running on the computer system has characteristics and/or behaviors typically associated with 
valid code; 

second means for determining a second value indicative of the extent to which the first 
program has characteristics and/or behaviors typically associated with malicious code; 
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third means for categorizing, using the first and second values, the first program with 
respect to whether the first program presents a security threat to the computer system. 
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